News that new versions of an old worm, Agent.btz, which attacked the US military back in 2008, are still appearing and causing problems for today's MilSec professionals confirms Idappcom's strategy of boosting the efficiency of an organisation's IT security defences.
According to Ray Bryant, CEO of the data traffic analysis and security specialist, with many tens of thousands of new malware and attack variants arriving daily in cyberspace, it is natural that the focus of IT security defence strategies will be on the latest attack methodologies. "Many IT security technology users assume, incorrectly as it turns out, that the older attack vectors used by malware, phishing attacks and other electronic nasties are all countered by today's IPS, IDS, UTM or firewall systems, but the reality is that old attack vectors can be modified and re-used by cybercriminals," he said.
"The real hackers are possibly creating very few new attacks, and if they do, security devices will not detect them if they don't know what they are looking for. The constantly quoted 'thousands of new attacks each day' has to be read with scepticism. More accurately, the statement should be that the many variants of existing attacks number in the thousands. Script kiddies thrive on them; there are tools out there to help them; not so much skill is needed.
These variants test the ability of the security rules (signatures) to recognise the vulnerability being exploited, and of the audit and pen testing tool to provide samples (traffic) that truly test the capability of the rule." "As this revealing Reuters report notes, these revitalised darkware elements can then try to slide in under a firm's IT security defences, which makes it imperative that a company's ITsec platforms are operating at peak efficiency," he added.
According to Bryant, whose company offers the industry's most advanced automated auditing and penetration testing solution, the reality with IT security defences, no matter what strategy they employ, is that there are only so many processor cycles to go around. Put simply, he explained, this means that an IT security platform needs to be regularly tuned and refined over time in order to balance the areas of defence it needs to focus on.
And the more efficient the security platform is, he said, the more cycles there are to cope with less popular attack vectors, such as reworked and re-energised malware, as exemplified by the Agent.btz worm which is now causing headaches for President Obama's military IT specialists. The story here, says the Idappcom CEO, is that old worms and viruses can never be ignored. They may appear to offer a lesser risk profile than today's headline attack code, but the reality is that they will pose a risk, and one that needs to be countered. Modern IT security, said Bryant, is all about balancing risk with the costs of provisioning security. In an ideal world, an IT manager would deploy as varied a selection of security defences as is required to defend 100 per cent against all attack methodologies.
"In the real world, however, this isn't going to happen, so it makes sense to optimise an organisation's existing ITsec defences, and the way to do this is to use automated auditing and pen testing systems such as our Traffic IQ offering," he said. Traffic IQ has a library of over 4,500 traffic files that have been built since 2004. They are built only after rigorous testing to ensure that (a) they really do work and (b) they are not simply variants of an existing file that should be stopped by the same signature/rule. Some of these files have versions that test the evasion technique as well as the original threat.
Traffic IQ now has a very well crafted security rule for each exploit; this allows a simple test, fix (import rule), test again cycle to provide immediate protection. The rules are built to detect the vulnerability, and the traffic files have the necessary variations (if needed) to an exploit that will test that rule.

Bryant added, "This is somewhat different to the many claims made by some other vendors that they have 'thousands of rules or malicious traffic', depending of course on what they are selling. Don't be fooled: any idiot can make hundreds of rules based on the many exploit variations that relate to one vulnerability." Bryant said, "Security devices vary between manufacturers, in what the default configurations offer, and in what the needs of each individual set-up are. The only way to enhance security is to audit and test regularly and in a real-world live environment." He went on to say, "In my mind the issue is simple: no matter what other testing you do, the only true test is 'Does the malicious traffic pass through my device, and do I want it to?' If it does get through and you don't want it to, then you have to either configure correctly or add the security rule to stop it. A proper and regular audit, fix and retest cycle will save most companies millions of dollars in expenditure on new devices that could just repeat the same poor job, just faster."
NSS Labs issues group test reports each year, around October. The last two reports have highlighted two major failings with many IPS/IDS providers. The first is the apparent inability to identify malicious traffic that has had even the most basic evasion techniques applied, and the other is the 'habit' of dropping older signatures in favour of newer ones to maintain speed of throughput. Hackers know this; that's why old attacks are either revived or simply altered (evasion applied) to get through current defences. The report says that some very well known (expensive) devices are as good as useless due to this omission.
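The distinction Bryant draws between a rule written for one exploit sample and a rule written for the underlying vulnerability, together with the basic-evasion failure NSS Labs reports, can be shown in a small added example (this is not Traffic IQ's rules or Idappcom's code). It assumes a hypothetical web application whose /login handler breaks on a "user" parameter longer than 64 bytes; the request lines are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines for the hypothetical flaw: the original
# published sample, three variants that keep the trigger condition but change
# the bytes on the wire (case, padding, URL encoding), and a benign request.
SAMPLES = {
    "original":   "GET /login?user=" + "A" * 300 + " HTTP/1.1",
    "case":       "GET /LOGIN?USER=" + "A" * 300 + " HTTP/1.1",
    "padding":    "GET /login?user=" + "B" * 300 + " HTTP/1.1",
    "urlencoded": "GET /login?user=" + "%41" * 300 + " HTTP/1.1",
    "benign":     "GET /login?user=alice HTTP/1.1",
}

MAX_USER_LEN = 64  # assumed buffer limit of the hypothetical handler


def exploit_rule(req: str) -> bool:
    """Exploit-based rule: matches the literal bytes of the first sample.
    Each variant above would need its own such rule, and still be missed
    until someone writes it."""
    return "/login?user=" + "A" * 300 in req


def vuln_rule(req: str) -> bool:
    """Vulnerability-based rule: normalise the request (URL-decode, lowercase)
    and then test the condition that actually triggers the bug, so every
    variant that still triggers it is caught by one rule."""
    m = re.match(r"GET\s+(\S+)", req)
    if not m:
        return False
    target = unquote(m.group(1)).lower()
    if not target.startswith("/login?"):
        return False
    for pair in target.split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        if key == "user" and len(value) > MAX_USER_LEN:
            return True
    return False


def evaluate(rule) -> dict:
    """Run one rule over every sample: the test-fix-retest step of checking
    which traffic files a rule stops."""
    return {name: rule(req) for name, req in SAMPLES.items()}
```

Running `evaluate` over both rules shows the exploit-based rule stopping only the original sample while the vulnerability-based rule stops every variant and leaves the benign request alone.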
The reports are very extensive and recommended reading for serious IT security professionals. "It's a shame that the US military have been publicly exposed as having such major problems from avoidable threats. Maybe they will notice that Traffic IQ is on the list of approved products and consider it as a useful part of their defence mechanism, and not just throw millions of dollars at the problem," he added. "In the real world, IT professionals do not have the budget that their US MilSec peers do. And for them, automated auditing and pen testing technology is the optimum way forward."